Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
430
Views
0
Helpful
1
Replies

NAT and IPSEC Preference

bapatsubodh
Level 1
Level 1

‎10-03-2007 10:49 AM - edited ‎02-21-2020 03:18 PM

Hi,

We are using 3845 router with 2 eth ports for IPSEC tunnel formation. Traffic arrives or leaves from Gig0/0 is enrypted. Crypto map is applied on gig0/0. (Traffic defined by Access-lists.) Then traffic is routed to Giga0/1 for further routing. This is working ok.

But now we are facing a problem as we are required to do Dest-NAT on these packets. When packets are arrived on Giga0/0 those should be decrypted first and then those should be Dest-Nated. That is after decryption has taken place we will replace the destination address in the packet and then route those packets to gig0/1. When the reply will come to these packets router shoud first do the nating and then encrypt and then route those out from Giga 0/0.

If the sequence is correct then only those packets will be encrypted.

As the packets to be encrypted or decrypted is decided by access-list. And all access lists are configured with existing IP addressing sceme it is not possible to change. So we have come up to new option of NAT. In short it will look like following

packet coming from outside world with destination as A.b.C.D is received on Gigi0/0 --> as per access list it matches the ip address Destination A.B.C.D then it is de-crypted. ----> then sent to Gigi0/1 for further routing. This is ok.

What we are looking for is some thing like this.

Packet comes from world with destination address A.B.C.D , it is received on Giga 0/0 ---> Access list is matched so a packet is decrypted ---> now change Destination IP address pf packet from A.B.C.D to new IP address as P.Q.R.S and then route it to Giga 0/1 for further routing. Similar when packet is coming back ( source and destination address swapped ) on Giga 0/1 ---> Replace Source Address by A.B.C.D --> Then this packet will match access-list and then it will be encrypted and will be sent from where is came from i.e to giga0/0. So in all this preference is important. if ip nat inside or outside are applied on interfaces and also crypto map is applied on Gig 0/0 which will take preference or can we configure it as the way we what.

Thanx in advance

Subodh

Labels:
0 Helpful
1 Reply 1

vkapoor5
Level 5
Level 5

‎10-10-2007 09:05 AM

This sample configuration shows how to encrypt traffic between two private networks (10.50.50.x and 10.103.1.x) using IPSec. The networks know each other by their private addresses.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009448f.shtml

0 Helpful
Customers Also Viewed These Support Documents